This week, Palo Alto released a patch for a PAN-OS vulnerability (CVE-2022-0028) that is actively being targeted by threat actors. Firewalls running affected versions of PAN-OS could allow an attacker to carry out a Denial-of-Service (DoS) attack. Barracuda MSP recommends applying this patch to affected Palo Alto products as soon as possible.
Technical Detail & Additional Information
What is the threat?
Within PAN-OS, a misconfigured URL filtering policy allows a network-based attacker to perform reflected and amplified TCP DoS attacks. This technique exploits TCP non-compliance in middleboxes (here, the firewall itself), which lets the attacker's traffic be reflected, and amplified, onto the intended target. Once exploited, the attacker can flood a target with requests, ultimately crashing the machine and making it inaccessible to its intended users.
Why is it noteworthy?
PAN-OS is Palo Alto's proprietary operating system and is used in over 150 countries. This vulnerability affects devices running specific versions of PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1, and 10.2. CVE-2022-0028 received a Common Vulnerability Scoring System (CVSS) score of 8.6, which is rated High and warrants immediate action.
What is the exposure or risk?
When exploited, the firewall can be used to carry out a DoS attack. According to Palo Alto’s recently published advisory, “If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting DoS attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.” The resulting DoS attack can cause a loss of availability for the attacker-specified target if that target lacks sufficient DoS protection. One indicator that your devices are being abused in this way is an abnormal increase in URL Filtering logs with a block action, showing many retries from the same set of external source IP addresses.
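As an added example (not from this advisory or from Palo Alto), the following Python script applies that detection hint to constructed, simplified URL Filtering log lines: it counts block events per external source IP and flags sources with an abnormal number of retries. The CSV layout, the internal address ranges and the retry threshold are assumptions, not the real PAN-OS log format or a vendor-recommended value.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: these are the organisation's internal ranges; any other source is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a simplified CSV layout:
#   timestamp,src_ip,dst_ip,url,action
# This is NOT the real PAN-OS URL Filtering log layout, which carries many more fields.
SAMPLE_LOG = (
    "2022/08/10 10:00:01,198.51.100.7,10.0.0.5,http://filtered.example/,block\n" * 6
    + "2022/08/10 10:00:02,203.0.113.9,10.0.0.5,http://filtered.example/,block\n" * 5
    + "2022/08/10 10:00:03,10.0.0.8,203.0.113.50,http://filtered.example/,block\n" * 7
    + "2022/08/10 10:00:04,192.0.2.3,10.0.0.5,http://filtered.example/,block\n"
    + "2022/08/10 10:00:05,198.51.100.7,10.0.0.5,http://allowed.example/,allow\n" * 3
)


def is_external(ip_str: str) -> bool:
    """True when the address is outside every configured internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def blocked_retries_by_external_source(log_text: str) -> Counter:
    """Count URL Filtering block events per external source IP."""
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, src, _dst, _url, action = row
        if action == "block" and is_external(src):
            counts[src] += 1
    return counts


def suspicious_sources(log_text: str, min_retries: int = 4) -> dict:
    """Return {src_ip: block_count} for external sources at or above the threshold.
    Assumption: min_retries is a tuning value; baseline it against your normal traffic."""
    counts = blocked_retries_by_external_source(log_text)
    return {ip: n for ip, n in counts.most_common() if n >= min_retries}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} blocked retries")
```

Internal sources are excluded because the advisory's indicator is retries from external addresses; a spike from internal hosts points to a different problem.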
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate this vulnerability on your Palo Alto products:
- Apply the latest security update to affected devices.
- As a workaround if a DoS attack takes place, enable Packet-Based Attack Protection with both of the following settings: Packet Based Attack Protection > TCP Drop > TCP SYN with Data, and Packet Based Attack Protection > TCP Drop > Strip TCP Options > TCP Fast Open.
- Alternatively, enable Flood Protection (Flood Protection > SYN > Action > SYN Cookie) with an activation threshold of 0 connections. It is neither necessary nor advantageous to apply both the packet-based attack protection and the flood protection.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://security.paloaltonetworks.com/CVE-2022-0028
- https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- https://cwe.mitre.org/data/definitions/406
- https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-based-attack-protection
- https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles/flood-protection
- https://www.microsoft.com/security/blog/2022/05/23/anatomy-of-ddos-amplification-attacks/
- https://www.akamai.com/blog/security/tcp-middlebox-reflection
- https://www.paloaltonetworks.com/about-us
- https://nvd.nist.gov/vuln-metrics/cvss
If you have any questions, please contact our Security Operations Center.